Enterprise network security is a significant issue, as the rise of the Internet allows security attacks to be mounted on a large scale from anywhere in the world. It is common to find individuals and groups attempting to breach the security barriers at many large and small corporations in order to gain access to both sensitive customer data and internal business records, as well as to mount Denial of Service (DoS) attacks to hinder or cripple day-to-day operations. In response, enterprises employ sophisticated security mechanisms and install specialized security devices to thwart such breaches and attacks. Such security mechanisms and devices may range from simple network firewalls that act as walls to keep out intruders, to highly complex Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) that intercept and examine every packet traversing the corporate Internet access link to catch and eliminate these attacks.
FIG. 1 depicts a typical security defense scenario that may be implemented, for instance, at a corporate main office. As shown in FIG. 1, corporate main office 10 may be connected to the Internet 11 through security device 12 that may implement one or more network security measures, such as firewalling, intrusion detection and prevention, virus filtering, DoS prevention, etc. Security device 12 may pass analyzed and filtered traffic to router 13, which may be connected to LAN 14 on which may reside (for the purposes of illustration) protected device 15 and protected data 16. As represented in the figure, an outside attacker 17 may attempt to mount an attack 18 against the corporate main office 10. However, security device 12 may determine that an attack has been mounted, possibly by inspecting the network traffic arriving from Internet 11, and may thwart the attack by discarding packets from or to attacker 17 while still continuing to forward non-attack traffic.
The number of different types of attacks and exploits, however, is known to increase constantly as time progresses. Not only do attackers find new security vulnerabilities to penetrate, but the introduction of different kinds of software and new models of hardware exposes new areas where attackers may focus. In addition, the configuration and maintenance of security devices (such as security device 12 in FIG. 1) is a complex and ongoing task. In response to new attacks becoming known, security devices may need to be reconfigured or updated with new firmware. Such reconfigurations or firmware updates may result in unexpected security vulnerabilities being introduced. Further, changes in the LAN topology or equipment (e.g., changes to router 13 or LAN 14 in FIG. 1) may create unexpected problems with security. As a consequence, it may be necessary to perform periodic security scans and assessments of the security devices and network equipment at an enterprise location. As it may not be practicable to shut down the enterprise while these scans are being performed, the systems and topologies may have to be tested while live traffic is running; i.e., it may be necessary to perform online testing of the security posture.
With reference to FIG. 2, a representation of a possible online test setup is depicted. Corporate main office 10, connected to Internet 11 with security device 12 interposed between Internet 11 and router 13, may utilize online tester 20 to conduct periodic security assessments and determine that an adequate security posture is being maintained. Such assessments may simulate the effect of attack traffic arriving from Internet 11 and directed at protected device 15 or protected data 16, which are connected via LAN 14 to router 13. Attack simulation may be conducted by generating simulated attack traffic 23 from attack generator 21 within online tester 20. Attack traffic 23 may be injected into security device 12 on its Internet-facing side. If security device 12 is improperly configured or has unexpected vulnerabilities, some fraction of attack traffic 23 may be inadvertently allowed to pass through as “leaking” attack traffic 24. Attack checker 22 may simulate a protected entity, such as protected device 15 or protected data 16, and may receive the leaking attack traffic 24; this effectively indicates that an attacker could gain access to an actual protected device as a result. Online tester 20 may then determine the vulnerabilities of security device 12 by comparing the generated attack traffic 23 with leaking attack traffic 24, and may create a report detailing the problems. These problems in security device 12 may then be addressed and solved before an actual attacker attempts to penetrate the network from the Internet.
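The generate, filter, check and compare loop just described can be modelled in a few dozen lines. The following is an added illustration, not code from the original document or from any product it describes: the generator emits labelled probe records, a constructed stand-in for security device 12 drops probes whose labels it recognises, the checker records whatever reaches it, and the tester reports the difference between what was generated and what leaked. The probe labels, the device policy and the class names are all assumptions made for this illustration; no real attack traffic is involved.

```python
"""Added example: a minimal model of the online-tester loop from FIG. 2.

An attack generator emits labelled probe records, a simulated security
device (a constructed allow/deny policy, not a real product) filters
them, an attack checker records which probes "leak" through, and the
tester reports the gap between what was generated and what leaked.
All names, probe labels and the policy are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One generated test probe (stands in for attack traffic 23)."""
    probe_id: int
    category: str      # constructed signature label, e.g. "sig-A"
    direction: str     # "inbound" (toward the LAN) or "outbound" (exfiltration test)


class AttackGenerator:
    """Emits a fixed catalogue of probes and remembers exactly what it sent."""

    def __init__(self, catalogue):
        self.sent = [Probe(i, cat, direction)
                     for i, (cat, direction) in enumerate(catalogue, start=1)]

    def emit(self):
        return list(self.sent)


class SimulatedSecurityDevice:
    """Constructed stand-in for security device 12: drops probes whose
    label is in its signature set and forwards everything else."""

    def __init__(self, blocked_categories):
        self.blocked = set(blocked_categories)

    def forward(self, probes):
        return [p for p in probes if p.category not in self.blocked]


class AttackChecker:
    """Stands in for the protected entity; records every probe that reaches it."""

    def __init__(self):
        self.received = {}

    def receive(self, probes):
        for p in probes:
            self.received[p.probe_id] = p


def run_assessment(generator, device, checker):
    """Drive one assessment cycle and return a report comparing the
    generated probes (traffic 23) with those that leaked (traffic 24)."""
    generated = generator.emit()
    checker.receive(device.forward(generated))
    leaked = [p for p in generated if p.probe_id in checker.received]
    blocked = [p for p in generated if p.probe_id not in checker.received]
    by_direction = {}
    for p in leaked:
        by_direction[p.direction] = by_direction.get(p.direction, 0) + 1
    return {
        "generated": len(generated),
        "blocked": len(blocked),
        "leaked": len(leaked),
        "leaked_categories": sorted({p.category for p in leaked}),
        "leaked_by_direction": by_direction,
        "block_rate": len(blocked) / len(generated) if generated else 1.0,
    }


# Constructed catalogue of (signature label, direction); labels are illustrative.
CATALOGUE = [
    ("sig-A", "inbound"),
    ("sig-B", "inbound"),
    ("sig-C", "inbound"),
    ("exfil-marker", "outbound"),
]

# Constructed device configuration that lacks one inbound signature and the
# exfiltration marker, so the report surfaces both gaps.
DEVICE_POLICY = ["sig-A", "sig-B"]


def example_report():
    """Run the constructed scenario and return its report dict."""
    return run_assessment(AttackGenerator(CATALOGUE),
                          SimulatedSecurityDevice(DEVICE_POLICY),
                          AttackChecker())


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

The point of the model is that the checker never needs to understand the probes; it only needs the generator's identifiers, so the report is a straightforward set difference between what was sent and what arrived. That is exactly the coupling between generator and checker that the later discussion of remote branch offices shows is hard to maintain once the two functions are physically separated.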
Online tester 20 may generally be caused to run simulated attacks and determine vulnerabilities from time to time, rather than on a continuous basis. For instance, online tester 20 may be set up to perform a simulated attack every night when the level of activity in corporate main office 10 is low. Alternatively (or in addition), online tester 20 may be set up to perform a simulated attack after a new software version has been loaded into security device 12 or router 13, or after the network or devices have been reconfigured. In general, the objective of using online tester 20 is to detect and close off security “holes” before they become an actual problem.
Another possible capability of online tester 20 that may be deduced from FIG. 2 is the ability to test for exfiltration of data. In certain cases, it may be possible for an attacker to break through the defenses and reach LAN 14 with the known or unwitting co-operation of an existing user on the LAN; for example, when a trusted computer used by an employee at corporate main office 10 has been infected with a virus, causing it to fetch protected data 16 and direct it towards an attacker waiting to receive it on Internet 11. Security device 12 may be configured to detect such exfiltration of data and intercept the traffic, thereby preventing the data loss. Online tester 20 may likewise be configured to verify that security device 12 is properly configured and functioning by simulating the signature of the data being exfiltrated (using attack generator 21), injecting traffic into router 13, and detecting (using attack checker 22) whether the exfiltrated data is observed at the Internet-facing side of security device 12.
The exemplary arrangement of corporate main office 10 defended by security device 12 may usually be sufficient when the only source of attacks is a single point, viz. Internet 11. In this case, simply defending against attacks from that single point may be adequate to fully protect the resources on the internal network. However, the recent trend is to link one or more branch offices to corporate main offices via the Internet using Virtual Private Networks (VPNs). VPNs may be used to extend the internal network within the corporate main office to branch offices, such that users at either office may easily and efficiently gain access to all corporate resources and data. Unfortunately, this may lead to significant limitations with regard to security testing, as compared to the scenario outlined in FIG. 2.
Turning to FIG. 3, a high-level view of a corporate main office 50 interconnected with a geographically remote branch office 51 through VPN 52 traversing the Internet 53 is depicted. Corporate main office 50 itself may be connected to the Internet (to permit employee access to Internet resources); this may be represented as a connection to Internet 67. (It should be understood that Internet 67 and Internet 53 are one and the same Internet, and are drawn separately for convenience in representation and explanation.) To defend against attacker 68 that may mount attack 69 from Internet 67, the corporate main office may install security device 55 to secure all traffic being sent to and from router 56, which maintains LAN 57 on which may reside protected device 58, protected data 59, and VPN device 60. VPN device 60 at corporate main office 50 may establish a VPN (an encrypted logical tunnel) 52 through Internet 53 to its counterpart VPN device 61 at branch office 51. VPN device 61 may be connected to branch office router 62, which may also connect to remote protected entities located at the branch office such as protected device 65 and protected data 66. The combination of VPN devices 60 and 61 along with the VPN tunnel 52 that they establish is used to link router 62 at the branch office with LAN 57 at corporate main office 50. This may have the desirable effect of allowing employees at corporate main office 50 to see protected data 66 and interact with protected device 65. It may also have the desirable effect of allowing employees at branch office 51 to interact with protected device 58 and see protected data 59 at corporate main office 50.
However, branch offices may frequently have other entities on their networks than simply router 62 with protected device 65 and protected data 66. For example, it may be advantageous to install wireless access point (AP) 64 to provide branch office employees with wireless access to the complete corporate network. This may then open up a new point of vulnerability in the corporate enterprise: attacker 70, who possesses a wireless device 71 and is located in proximity to branch office 51, may be able to mount attack 72 over the wireless link to AP 64 in order to try to gain unauthorized access to protected device 65 and protected data 66. In fact, due to the existence of VPN tunnel 52 linking branch office 51 with corporate main office 50, attacker 70 (if successful) may gain access to the entire corporate network and its resources through a successful attack on AP 64.
To guard against this possibility, a second security device 63 may be interposed between access point 64 and router 62. Security device 63 examines all traffic arriving from and destined to wireless AP 64 (and thence to the wireless LAN), and intercepts and discards known attack traffic while letting normal traffic pass. In this case, attack traffic 72 from attacker 70 is intercepted and prevented from reaching router 62, foiling the attack.
However, it is apparent from FIG. 3 that a serious problem may exist with regard to analyzing and reporting the security posture of the overall system by an online test approach such as that exemplified in FIG. 2. Firstly, the existence of AP 64 may create a new type of entry point for attack: a wireless entry point. Unlike security device 55 (or security device 63), which has wired ports and thus may be easily connected to an online tester such as online tester 20 in FIG. 2, the entry point for attacks created by AP 64 may not be easily addressed by an online tester. Secondly, the physical separation between corporate main office 50 and remote branch office 51 may make it very difficult to assess the overall security posture of the corporate network. No known approach in the prior art permits the attack traffic generated by an online tester, such as by attack generator 21 of online tester 20 in FIG. 2, to be caused to traverse the complete network represented in FIG. 3 and still return to an attack checker, such as attack checker 22 in FIG. 2. However, without completing the loop and checking the generated attacks, it may not be possible to determine which attacks have succeeded and which attacks have failed. Yet at the same time, it may be highly desirable to test the complete security system formed by security device 63 and router 62 in conjunction with security device 55 and router 56.
Turning now to FIG. 4, another issue is illustrated that may arise from the need to provide direct Internet access at the branch office. This may be driven by the need to conserve bandwidth on the VPN tunnel joining the two sites, as well as to reduce the load on the Internet uplink at the corporate main office; rather than directing normal Internet traffic through the VPN tunnel, this traffic may be bypassed directly to the Internet at the branch office. For example, FIG. 4 may represent a corporate main office 50 and remote branch office 51 interconnected over Internet 53 via VPN tunnel 52, established between VPN devices 60 and 61. Branch office 51 may, however, have its own connection to Internet 81 to avoid sending direct Internet traffic down VPN tunnel 52. In this case, only the internal corporate traffic may need to traverse the VPN tunnel.
To prevent the direct connection to Internet 81 at the branch office from becoming a security hazard, however, security device 80 may be interposed between branch office router 62 and Internet 81 to intercept and filter traffic to and from the Internet. This may foil attacker 82, who may be directing attack traffic 83 at branch office 51. In addition, security device 55 may be interposed between corporate main office router 56 and Internet 67 to stop attack traffic 69 originating from attacker 68 from reaching LAN 57 and thereby compromising protected device 58 and protected data 59. Finally, security device 63 may be placed at branch office 51 between router 62 and wireless AP 64 to prevent attacker 70 with wireless device 71 from mounting attack 72 wirelessly. (It should be noted that Internet 67, Internet 53 and Internet 81 are all logically the same Internet, but are drawn as three separate elements for representational clarity and to simplify the description.)
The presence of security device 80 to defend against attacks from the direct branch office connection to Internet 81 may add yet another dimension to the problem of online security attack testing. It may be desirable to determine whether security device 80 can prevent the exfiltration of data from branch office 51 to Internet 81, should attacker 70 successfully mount attack 72 through wireless AP 64. For example, security device 80 may be configured to determine when protected data 66 is being exfiltrated to Internet 81, and to intercept and prevent the exfiltration. This may, however, be very difficult to test with an online tester without physically locating the tester at remote branch office 51, and the cost and complexity of an online tester, such as online tester 20 in FIG. 2, may render this prohibitively expensive. This may be particularly true in situations where there are hundreds or thousands of relatively small remote branch offices associated with one or a few corporate main offices.
A significant limitation of online testers as known in the art is the difficulty of separating the attack generation function from the attack checking function. It may not be possible to generate anything more than a trivial “stateless” security attack without significant synchronization and linkage between the attack generation and the attack checking. High-level security attacks may require complex sequences of packet handshakes, wherein the next packet to be transmitted depends on the last packet that was received; thus the packet sequence is dictated not only by the properties of the attack being conducted but also by the response of the device or network under test, such as security device 12 in FIG. 2. Thus physically separating attack generator 21 from attack checker 22 in online tester 20 in FIG. 2 is not practical using the methodologies heretofore known. However, such a physical or logical separation is required for the case of remote branch offices, where the source of the attack may be geographically separated from the target of the attack.
It may be apparent from the foregoing discussion that current methods of performing online security posture testing may not be adequate for network topologies involving a corporate main office and one or more remote branch offices interconnected by means of VPNs. Current methods may result in excessive cost or complexity when attempting to perform such testing, and may be very difficult to implement without expensive equipment and trained personnel being physically present at the remote branch office. It may further be apparent that current techniques for online security testing may not be easily applicable to remote branch offices containing wireless access points. It may yet further be apparent that current approaches to online security testing may be difficult to apply to remote branch offices that may provide direct connections to the Internet in addition to VPN tunnels to the corporate main office.
There is hence a need for improved online security testing systems and methods.